Please help... Looks clean, but it won't DIE. [RESOLVED]


  • This topic is locked

#16
Guest_usetobe_*
  • Guest
Please identify what they are finding.
  • 0


#17
badaxe
  • Topic Starter
  • Member
  • 30 posts
C:\WINNT\system32\cisvvc.exe
C:\WINNT\system32\rdsndin.exe

This is the second time Ewido has found and 'cleaned' these two.

Follow up to this post: After launching IE to post this reply, my favorites have just been changed again.

Edited by badaxe, 16 June 2005 - 07:12 AM.

  • 0

#18
Guest_usetobe_*
  • Guest
Please download the free MWAV antivirus tool from here:
ftp://ftp.microworldsystems.com/download/tools/mwav.exe

This scan might take around 3+ hours to finish when set to scan everything. I need you to run MWav and put a check next to the items below before scanning:

*Memory
*Startup Folders
*Drive - All Local Drives
*Folder - then click "browse" to change the directory to C: (default is C:\Windows)
*Registry
*System Folders
*Services
*Include Sub-Directory
*Scan All Files

Please make sure ALL of these are checked, then press the scan button. This typically will take hours to complete.

**NOTE** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

Highlight the portion of the scan that lists infected items and hold CTRL + C to Copy then paste it here. The whole log will be extremely BIG so there is no way to copy the whole thing. I just need the infected items list.
  • 0

#19
badaxe
  • Topic Starter
  • Member
  • 30 posts
Ok, I'll get started. As I am at work now, I don't know if I'll have 3+ hours to leave my system alone. It may be later tonight before I can scan and reply.

I just ran KillBox again; rather than try to delete on reboot I wanted to see if it could find the files. It could not find any of the files for deletion-- except one (drv2cltr.dll) which it tried, but could not delete while running.

So I set this file for delete on reboot; now KillBox can not find any of the files.

I just tested again (after launching IE, which seems to be the catalyst for reinfection) and it still cannot find any of these files.

Now I'll run the MWav.

Thanks for hanging in with me.

EDIT: Should I disable Ewido while running MWav?

Edited by badaxe, 16 June 2005 - 07:49 AM.

  • 0

#20
Guest_usetobe_*
  • Guest
Disabling Ewido shouldn't be necessary.
  • 0

#21
badaxe
  • Topic Starter
  • Member
  • 30 posts
There was no quick and easy compilation of infected files. The final readout was this:

Thu Jun 16 11:26:00 2005 => ***** Scanning complete. *****

Thu Jun 16 11:26:00 2005 => Total Objects Scanned: 82675
Thu Jun 16 11:26:00 2005 => Total Virus(es) Found: 6
Thu Jun 16 11:26:00 2005 => Total Disinfected Files: 0
Thu Jun 16 11:26:00 2005 => Total Files Renamed: 0
Thu Jun 16 11:26:00 2005 => Total Deleted Objects: 0
Thu Jun 16 11:26:00 2005 => Total Errors: 58
Thu Jun 16 11:26:00 2005 => Time Elapsed: 01:29:23
Thu Jun 16 11:26:00 2005 => Virus Database Date: 2005/06/13
Thu Jun 16 11:26:00 2005 => Virus Database Count: 134428

Thu Jun 16 11:26:00 2005 => Scan Completed.


I had to go through the log to find the following items:

Thu Jun 16 09:57:18 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Thu Jun 16 09:57:35 2005 => Offending value found in HKLM\Software\microsoft\downloadmanager !!!
Thu Jun 16 09:57:35 2005 => Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Thu Jun 16 09:58:36 2005 => System found infected with iSearch Spyware/Adware (patch.exe)! Action taken: No Action Taken.
Thu Jun 16 09:58:36 2005 => Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.

Thu Jun 16 09:56:50 2005 => File C:\PROGRA~1\TightVNC\VNCHOOKS.DLL tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.b. No Action Taken.

Thu Jun 16 10:17:52 2005 => File C:\Program Files\TightVNC\VNCHooks.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.b. No Action Taken.

Thu Jun 16 10:57:34 2005 => File D:\BEN\Nailfix\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.

Thu Jun 16 10:57:34 2005 => File D:\BEN\Nailfix.zip tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.

I don't know how many of the following items are relevant, but I have marked one in red that has come up before.

  • 0

#22
badaxe
  • Topic Starter
  • Member
  • 30 posts
Here is what I just cut and pasted out of the "Virus Log Information" window of MWAV (as opposed to out of the log):

File C:\PROGRA~1\TightVNC\VNCHOOKS.DLL tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.b. No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\ITDetector.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\McUpdatePortal.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOCUME~1\RADBXD0\LOCALS~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\FileGrp\Msvcrt10.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOCUME~1\RADBXD0\LOCALS~1\Temp\_ISTMP1.DIR\_ISTMP0.DIR\FileGrp\MSVCP60.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\ITDetector.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\McUpdatePortal.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00020D05-0000-0000-C000-000000000046}" refers to invalid object "outex.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0368BFF0-9870-11D0-94AB-0080C74C7E95}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{06B060EC-4EE4-11D1-9E55-00A0C925E994}" refers to invalid object "C:\WINNT\System32\connsvc.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0982A313-556D-43CA-840D-FE3F749EE2FC}" refers to invalid object "C:\WINNT\system32\loihz.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{109082D0-3F26-11D4-879D-C00F5BC10000}" refers to invalid object "D:\BEN\TMapper080\SCROLLBOX.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1D1237A0-6CD6-11d2-96BA-00104B242E64}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1E6CEEA1-FB73-11CF-BD76-00001B27DA23}" refers to invalid object "C:\WINNT\System32\loginsvc.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2AFA62E2-5548-11D1-A6E1-006097C4E476}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2FEB9591-50CF-11D1-A6DF-006097C4E476}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{31C48C31-70B0-11d1-A708-006097C4E476}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{31C48C32-70B0-11d1-A708-006097C4E476}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{38911D8E-E448-11D0-84A3-00DD01104159}" refers to invalid object "D:\BEN\TMapper080\COMCT332.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{38911D90-E448-11D0-84A3-00DD01104159}" refers to invalid object "D:\BEN\TMapper080\COMCT332.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{38911D92-E448-11D0-84A3-00DD01104159}" refers to invalid object "D:\BEN\TMapper080\COMCT332.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{39A2C2A6-4778-11D2-9BDB-204C4F4F5020}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{39A2C2A9-4778-11D2-9BDB-204C4F4F5020}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{49FC0185-4B32-11d1-A40E-00600831F336}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{54CC7386-7F19-EBC4-6597-C7671A7B6567}" refers to invalid object "progmen.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{56336BCA-3D8A-11d6-A00B-0050DA18DE71}" refers to invalid object "C:\DOCUME~1\RADBXD0\LOCALS~1\Temp\InfoWindow.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5C85DCB0-F967-11D0-81ED-00C04FC99D4C}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{847B4DF5-4B61-11D2-9BDB-204C4F4F5020}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{89643D21-7B2A-11d1-8271-00A0C91F9CA0}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8A3F59E1-4994-11D1-A40D-00600831F336}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8C4EB103-516F-11D1-A6DF-006097C4E476}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8E718888-423F-11D2-876E-00A0C9082467}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8E71888A-423F-11D2-876E-00A0C9082467}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9C2263B0-3E3C-11D2-9BD3-204C4F4F5020}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9F4D2FA2-54A1-11d1-8267-00A0C91F9CA0}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A4845882-333F-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AE1A5812-5230-11D1-A6E0-006097C4E476}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AE1A5813-5230-11D1-A6E0-006097C4E476}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB314F91-A010-11d1-A75A-006097C4E476}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C0CD59AE-020D-11d1-81F2-00C04FC99D4C}" refers to invalid object "C:\WINNT\System32\msdxm.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E07D3492-32B5-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E98C1933-E311-11D0-979B-00001B1E46FE}" refers to invalid object "C:\WINNT\System32\axprf.ocx". Action Taken: No Action Taken.
Entry "HKCR\AcroPDF.PDF" refers to invalid object "{CA8A9780-280D-11CF-A24D-444553540000}". Action Taken: No Action Taken.
Entry "HKCR\AcroPDF.PDF.1" refers to invalid object "{CA8A9780-280D-11CF-A24D-444553540000}". Action Taken: No Action Taken.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\InDesign.Application.CS" refers to invalid object "{7F5C34B5-175B-4479-A56C-73D752368A8F}". Action Taken: No Action Taken.
Entry "HKCR\Microsoft.MSOLAPExtLevels.2" refers to invalid object "{579AD47A-852D-797C-3487-75C4602145C8}". Action Taken: No Action Taken.
Entry "HKCR\SAPGUI.ResourceManagerDefault" refers to invalid object "{00100000-2003-1003-8D59-B2E1C7CAA060". Action Taken: No Action Taken.
File C:\Program Files\TightVNC\VNCHooks.dll tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.b. No Action Taken.
File D:\BEN\Nailfix\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File D:\BEN\Nailfix.zip tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
  • 0
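
Post #21 notes that the MWAV log offers no compiled list of findings. As an added example (not part of the thread and not MicroWorld's code), this Python parser pulls the finding lines out of either log form posted here, rejoins entries wrapped onto a second line, and counts how many registry entries point at each missing file. The line patterns are inferred only from the excerpts in this thread, and the sample input is built from those excerpts.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the two log forms posted in this thread
# (timestamped log file with a wrapped entry, and the plain window text).
SAMPLE_LOG = r'''
Thu Jun 16 09:57:18 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Thu Jun 16 09:57:35 2005 => Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Thu Jun 16 09:56:50 2005 => File C:\PROGRA~1\TightVNC\VNCHOOKS.DLL tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.b. No Action Taken.
Thu Jun 16 09:58:53 2005 => Entry "HKCR\CLSID\{0982A313-556D-43CA-840D-FE3F749EE2FC}" refers to invalid object

"C:\WINNT\system32\loihz.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A4845882-333F-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E07D3492-32B5-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.
Thu Jun 16 11:26:00 2005 => Total Virus(es) Found: 6
'''

# Assumed line shapes, inferred from the excerpts above (not an official format).
STAMP = re.compile(r'^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4} => ')
RECORD_START = ("File ", "Object ", "Entry ", "System ")
PATTERNS = {
    "file": re.compile(
        r'^File (?P<target>.+?) tagged as (?P<detail>\S+)\. (?P<action>.+)\.$'),
    "object": re.compile(
        r'^Object "(?P<detail>[^"]+)" found in File System! '
        r'Action Taken: (?P<action>.+)\.$'),
    "invalid_ref": re.compile(
        r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<target>[^"]+)"\. '
        r'Action Taken: (?P<action>.+)\.$'),
}


def logical_lines(text):
    """Yield one record per log entry: drop timestamps, rejoin wrapped lines."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        stamped = STAMP.match(line)
        if stamped:
            line = line[stamped.end():]
        if stamped or line.startswith(RECORD_START):
            if current is not None:
                yield current
            current = line
        elif current is not None:
            current += " " + line  # continuation of a wrapped record
    if current is not None:
        yield current


def parse_findings(text):
    """Return a list of dicts, one per recognised finding, in log order."""
    findings = []
    for record in logical_lines(text):
        for kind, pattern in PATTERNS.items():
            match = pattern.match(record)
            if match:
                findings.append({"kind": kind, **match.groupdict()})
                break  # banner and summary lines match nothing and are skipped
    return findings


def dangling_targets(findings):
    """Count registry entries per missing target (Windows paths: ignore case)."""
    return Counter(f["target"].lower() for f in findings
                   if f["kind"] == "invalid_ref")


if __name__ == "__main__":
    results = parse_findings(SAMPLE_LOG)
    for f in results:
        if f["kind"] != "invalid_ref":
            print(f["kind"], f.get("target") or "-", f["detail"], sep="\t")
    for target, count in dangling_targets(results).most_common():
        print(count, target, sep="\t")
```
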

#23
Guest_usetobe_*
  • Guest
Hi again,

Files to paste into killbox

C:\DOCUME~1\RADBXD0\LOCALS~1\Temp\InfoWindow.dll
C:\WINNT\system32\loihz.dll
C:\WINNT\System32\WBEM\WBEMSTUB.DLL


Once that's done

Start>run>type regedit

Locate the following

hkey_Local_Machine_software_Microsoft_Downloadmanager

In the right-hand box delete any entries for AltNet Spyware and iSearch if found

Exit regedit utility.

Rescan with Ewido and post log back
  • 0

#24
badaxe
  • Topic Starter
  • Member
  • 30 posts
For some reason KillBox will not recognize (or allow) me to paste multiple files from the clipboard into the entry.

Registry entry contains only the default entry.

Edited by badaxe, 16 June 2005 - 12:32 PM.

  • 0

#25
Guest_usetobe_*
  • Guest
Put them into Notepad, then copy to the clipboard by pressing Ctrl+C.
  • 0


#26
badaxe
  • Topic Starter
  • Member
  • 30 posts
Seem to be copying to the clipboard ok (I can copy and paste them inside notepad).


Back in KillBox, when I use "Paste From Clipboard" nothing happens. Empty entry cell.

If I right click "Paste" then I get one entry, but not all three.

If I hit Ctrl-V I get one entry.

If I try pasting and killing them one at a time (without reboot) I get "File Does Not Seem to Exist."
  • 0

#27
Guest_usetobe_*
  • Guest
If that doesn't work, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
  • 0

#28
badaxe
  • Topic Starter
  • Member
  • 30 posts
Well this is interesting.

Followed your above advice to paste one at a time and reboot after the last one.

After I hit "YES" for reboot, I got an error:

PendingFileRenameOperations Registry Data has been removed by External Process!

Because I did not recognize this screen (which had an OK button and an X close button) I just closed it.

On opening IE back up to post this reply, Ewido found and 'cleaned' rdsndin.exe and cisvvc.exe again.

Ah, and it has updated my favorites... again.

I'll wait for a reply before I try anything at all.
  • 0

#29
Guest_usetobe_*
  • Guest
You should have OK'd it.

Please uninstall Microsoft antivirus; you can reinstall it once we have completed what we need to do. Also remove the Internet Explorer policy restrictions you set up.

Then carry out the KillBox procedure again, and OK it if you get the "PendingFileRenameOperations Registry Data has been removed by External Process" warning.
  • 0

#30
Guest_usetobe_*
  • Guest
Add these two to KillBox again.
  • 0





